commit patchinfo.17291 for openSUSE:Leap:15.2:Update

Fri, 24 Dec 2021 07:52:14 -0800 

Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package patchinfo.17291 for 
openSUSE:Leap:15.2:Update checked in at 2021-12-24 16:51:59
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2:Update/patchinfo.17291 (Old)
 and      /work/SRC/openSUSE:Leap:15.2:Update/.patchinfo.17291.new.2520 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "patchinfo.17291"

Fri Dec 24 16:51:59 2021 rev:1 rq:942256 version:unknown

Changes:
--------
New Changes file:

NO CHANGES FILE!!!

New:
----
  _patchinfo

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ _patchinfo ++++++
<patchinfo incident="17291">
  <issue tracker="bnc" id="1193795">VUL-0: CVE-2021-42550: logback: remote code 
execution through JNDI call from within its configuration file</issue>
  <issue tracker="cve" id="2021-44228"/>
  <packager>fstrba</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for logback</summary>
  <description>This update for logback fixes the following issues:

Upgrade to version 1.2.8

+ In response to log4Shell/CVE-2021-44228, all JNDI lookup code in logback
  has been disabled until further notice. This impacts
  ContextJNDISelector and insertFromJNDI element in
  configuration files.
+ Also in response to log4Shell/CVE-2021-44228, all database (JDBC) related
  code in the project has been removed with no replacement.
+ Note that the vulnerability mentioned in LOGBACK-1591 requires
  write access to logback's configuration file as a
  prerequisite. The log4Shell/CVE-2021-44228 and LOGBACK-1591
  are of different severity levels. A successful RCE requires
  all of the following conditions to be met:
  - write access to logback.xml
  - use of versions lower then 1.2.8
  - reloading of poisoned configuration data, which implies
    application restart or scan="true" set prior to attack

This update was imported from the SUSE:SLE-15-SP2:Update update 
project.</description>
</patchinfo>

Reply via email to